
mok: remove MokListTrusted from PCR 7 #519

Merged
merged 1 commit into from
Nov 14, 2022

Conversation

baloo
Contributor

@baloo baloo commented Oct 21, 2022

MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of MokListTrusted does not alter the behavior of Secure Boot, so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage), it should not be factored into the value of PCR 7.

See:
#423
4e51340

Fixes #484
Fixes #492

MokListTrusted was added by mistake to PCR 7 in 4e51340. The value of
MokListTrusted does not alter the behavior of Secure Boot, so, as per
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36
(section 3.3.4 PCR usage), it should not be factored into the value of
PCR 7.

See:
  rhboot#423
  rhboot@4e51340

Fixes rhboot#484
Fixes rhboot#492

Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
@baloo
Contributor Author

baloo commented Oct 21, 2022

Before:

- EventNum: 24
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 4
  Digests:
  - AlgorithmId: sha1
    Digest: "15875d39b8872f8aff3a92fc9f9e40ac75268e04"
  - AlgorithmId: sha256
    Digest: "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d"
  - AlgorithmId: sha384
    Digest: "f143e2948d63fcd3442e841bb36a7e180871f0a8946541961fe9d12e70d0727874600956264dba531e2edd8729c5eb38"
  - AlgorithmId: sha512
    Digest: "b26c6842867487f14a6e326f96b6c19d1278d02d099862d70355cec886d97a2b7a7209569189fd0ce6d94c3302f18e8f5b157327288b5ef4f6447415d8af292b"
  EventSize: 68
  Event:
    VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
    UnicodeNameLength: 9
    VariableDataLength: 18
    UnicodeName: SbatLevel
    VariableData: "736261742c312c323032313033303231380a"
- EventNum: 25
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 4
  Digests:
  - AlgorithmId: sha1
    Digest: "3efeb87af48ab5aee7fcbd3514bab719ed865c1c"
  - AlgorithmId: sha256
    Digest: "5f62a2107fa11ce0485fd252d2e6c603cb8ed075861f9513bfed0a26bf6ed62b"
  - AlgorithmId: sha384
    Digest: "841b29f5200c91e1a02e64a6636587bac5b85496a67e6d3c3cf52415a7ab726b4d2259134d84e9082191ac8ee15b7890"
  - AlgorithmId: sha512
    Digest: "92b03acd457b86effba0b8f3886ab8fafbba745b1a4714d9c86c5b78204291fe0fb4e883db9b89d4dedfe6c12f2e72b8ec00d1dbf3a78302814e1ace570c2d22"
  EventSize: 61
  Event:
    VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
    UnicodeNameLength: 14
    VariableDataLength: 1
    UnicodeName: MokListTrusted
    VariableData: "01"
- EventNum: 26
  PCRIndex: 14
  EventType: EV_IPL
  DigestCount: 4
  Digests:
  - AlgorithmId: sha1
    Digest: "bf8b4530d8d246dd74ac53a13471bba17941dff7"
  - AlgorithmId: sha256
    Digest: "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a"
  - AlgorithmId: sha384
    Digest: "8d2ce87d86f55fcfab770a047b090da23270fa206832dfea7e0c946fff451f819add242374be551b0d6318ed6c7d41d8"
  - AlgorithmId: sha512
    Digest: "7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339"
  EventSize: 15
  Event:
    String: |-
      MokListTrusted

After:

- EventNum: 24
  PCRIndex: 7
  EventType: EV_EFI_VARIABLE_AUTHORITY
  DigestCount: 4
  Digests:
  - AlgorithmId: sha1
    Digest: "15875d39b8872f8aff3a92fc9f9e40ac75268e04"
  - AlgorithmId: sha256
    Digest: "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d"
  - AlgorithmId: sha384
    Digest: "f143e2948d63fcd3442e841bb36a7e180871f0a8946541961fe9d12e70d0727874600956264dba531e2edd8729c5eb38"
  - AlgorithmId: sha512
    Digest: "b26c6842867487f14a6e326f96b6c19d1278d02d099862d70355cec886d97a2b7a7209569189fd0ce6d94c3302f18e8f5b157327288b5ef4f6447415d8af292b"
  EventSize: 68
  Event:
    VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
    UnicodeNameLength: 9
    VariableDataLength: 18
    UnicodeName: SbatLevel
    VariableData: "736261742c312c323032313033303231380a"
- EventNum: 25
  PCRIndex: 14
  EventType: EV_IPL
  DigestCount: 4
  Digests:
  - AlgorithmId: sha1
    Digest: "bf8b4530d8d246dd74ac53a13471bba17941dff7"
  - AlgorithmId: sha256
    Digest: "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a"
  - AlgorithmId: sha384
    Digest: "8d2ce87d86f55fcfab770a047b090da23270fa206832dfea7e0c946fff451f819add242374be551b0d6318ed6c7d41d8"
  - AlgorithmId: sha512
    Digest: "7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339"
  EventSize: 15
  Event:
    String: |-
      MokListTrusted
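To make the effect of the extra PCR 7 event concrete, here is an added example (not part of the PR or of shim itself) that replays the sha256 bank over the two PCR 7 events excerpted above and rebuilds the UEFI_VARIABLE_DATA structures whose sizes the log reports. It assumes the TCG PCR extend rule (new = SHA-256(old || digest)) and starts from an all-zero PCR for just these two events, so the values are illustrative of the delta rather than a full PCR 7 of the machine; the PCR 14 check assumes the EV_IPL digest covers the variable's one data byte (0x01), which the listed sha1/sha256 values are consistent with.

```python
import hashlib
import uuid

# Shim's vendor GUID as it appears in the VariableName field of the log.
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")

# sha256 event digests copied from the "Before" log above.
SBATLEVEL_DIGEST = bytes.fromhex(
    "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d")
MOKLISTTRUSTED_DIGEST = bytes.fromhex(
    "5f62a2107fa11ce0485fd252d2e6c603cb8ed075861f9513bfed0a26bf6ed62b")
PCR14_IPL_DIGEST = "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a"


def uefi_variable_data(guid, name, data):
    """Serialize a TCG UEFI_VARIABLE_DATA structure: EFI_GUID (mixed
    endian), u64 name length (in UTF-16 chars), u64 data length, the
    UTF-16LE name without a terminator, then the raw variable data."""
    return (guid.bytes_le
            + len(name).to_bytes(8, "little")
            + len(data).to_bytes(8, "little")
            + name.encode("utf-16-le")
            + data)


def pcr_extend(pcr, digest):
    """One TPM extend in the sha256 bank."""
    return hashlib.sha256(pcr + digest).digest()


def replay_pcr(digests):
    """Fold a list of event digests into a PCR starting from zero."""
    pcr = bytes(32)
    for digest in digests:
        pcr = pcr_extend(pcr, digest)
    return pcr


def pcr7_before():
    # Events 24 and 25 of the "Before" log: SbatLevel then MokListTrusted.
    return replay_pcr([SBATLEVEL_DIGEST, MOKLISTTRUSTED_DIGEST])


def pcr7_after():
    # With the fix, only SbatLevel lands in PCR 7 from this excerpt.
    return replay_pcr([SBATLEVEL_DIGEST])


def mok_ipl_digest(data=b"\x01"):
    # PCR 14 EV_IPL digest: hash of the MokListTrusted variable data.
    return hashlib.sha256(data).hexdigest()
```

Any secret sealed against PCR 7 under the "Before" value (e.g. a disk-unlock key) will not unseal once the MokListTrusted extend is gone, which is why the change is observable as a PCR 7 policy break rather than a Secure Boot change.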

@chrisccoulson
Collaborator

This looks ok to me as long as others are agreed that MokListTrusted shouldn't be measured to PCR7 (I don't think it should be for the reasons in #484)

@vathpela vathpela merged commit aa1b289 into rhboot:main Nov 14, 2022
Development

Successfully merging this pull request may close these issues.

Incomplete MokListTrusted measurement in binary_bios_measurements
Should MokListTrusted be measured to PCR7?
3 participants